Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Symantec Endpoint Protection 12.1 Managed Client Antivirus

V1R2 · · · Released 25 Jul 2014 · 114 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

The Symantec Endpoint protection 12.1 Managed Client Antivirus STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.
Sort by
c
The Symantec Endpoint Protection clients antivirus signature file age must be no older than 7 days.
SI-3 - High - CCI-001240 - V-42609 - SV-55337r1_rule
RMF Control
SI-3
Severity
H
CCI
CCI-001240
Version
DTASEP001
Vuln IDs
  • V-42609
Rule IDs
  • SV-55337r1_rule
Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. Without current virus definitions the virus scan will not be able to detect new viruses, putting the system and network at risk.
Checks: C-48890r1_chk

Note: If the vendor or trusted site's files are also older than 7 days and match the date of the signature files on the machine, this is not a finding. On the client machine, locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. Under the Status tab, observe the "Definitions:" area for Virus and Spyware Protection, Proactive Threat Protection, and Network Threat Protection. Criteria: If the "Definitions:" date is older than 7 calendar days from the current date, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate Criteria: If the "LatestVirusDefsDate" is older than 7 calendar days from the current date, this is a finding.

Fix: F-48191r1_fix

Update client machines via the Symantec Enterprise Console. If this fails to update the client, update the antivirus signature file as local process describes (e.g., auto update or LiveUpdate).

b
The Symantec Endpoint Protection client User-defined Exceptions option must not be configured to exclude any files from scanning unless exclusions have been documented with, and approved by, the IAO/IAM.
SI-3 - Medium - CCI-001242 - V-42610 - SV-55338r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP002
Vuln IDs
  • V-42610
Rule IDs
  • SV-55338r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-48891r1_chk

On the client machine, locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen -> Select "Change Settings" on the left side of the screen -> Select "Configure Settings" for Exceptions -> Ensure there are not any User-defined Exceptions listed that are not documented with, and approved by, the IAO/IAM. Criteria: If any User-defined Exceptions are listed, and not documented with, and approved by, the IAO/IAM, this is a finding.

Fix: F-48192r1_fix

On the client machine, locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen -> Select the "Change Settings" on the left side of the screen -> Select "Configure Settings" for Exceptions. Remove any User-defined Exceptions that are not documented with, and approved by, the IAO/IAM.

b
The Symantec Endpoint Protection client Global Settings for Log Retention must be enabled and configured to retain logs for 30 days.
SI-3 - Medium - CCI-001242 - V-42611 - SV-55339r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP003
Vuln IDs
  • V-42611
Rule IDs
  • SV-55339r1_rule
Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. (FISMA 800-92)
Checks: C-48892r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Advanced Options -> Select Miscellaneous -> Select the Log Handling tab -> Under Log Retention -> Ensure "Delete logs older than" is set to 30 days or greater. Criteria: If "Delete logs older than" is not set to 30 days or greater, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV Criteria: If the value data for the LogFileRollOverDays values is not 1e (the hex value for 30) or higher, this is a finding.

Fix: F-48193r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click on the applied policy -> Under Windows Settings, Advanced Options -> Select Miscellaneous -> Select the Log Handling tab -> Under Log Retention -> Set "Delete logs older than" to 30 days or greater.

b
The Symantec Endpoint Protection client must be scheduled to auto update.
SI-3 - Medium - CCI-001247 - V-42612 - SV-55340r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001247
Version
DTASEP004
Vuln IDs
  • V-42612
Rule IDs
  • SV-55340r1_rule
Antivirus signature files are updated almost daily by antivirus software vendors. These files are made available to antivirus clients as they are published. Keeping virus signature files as current as possible is vital to the security of any system. The antivirus software product must be configured to receive those updates automatically in order to afford the expected protection.
Checks: C-48893r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Under Policies, select LiveUpdate -> Double-click the applied policy -> Select Overview -> Under Policy Name -> Ensure "Enable this policy" is selected. Criteria: If "Enable this policy" is not selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit and 64 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate\Schedule Criteria: If Enabled is not set to 1, this is a finding.

Fix: F-48194r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Under Policies, select LiveUpdate -> Double-click the applied policy -> Select Overview -> Under Policy Name -> Select "Enable this policy".

b
The Symantec Endpoint Protection client Tamper Protection must be configured to block attempts to tamper with or shut down the client.
SI-3 - Medium - CCI-001248 - V-42613 - SV-55341r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001248
Version
DTASEP005
Vuln IDs
  • V-42613
Rule IDs
  • SV-55341r1_rule
For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans and other malware infecting the system during that startup phase.
Checks: C-48894r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Clients -> Under Clients -> Select the client to be checked -> Under the Policies tab, Settings -> Select General Settings -> Under the Tamper Protection tab -> Ensure "Protect Symantec security software from being tampered with or shut down" is selected. Criteria: If "Protect Symantec security software from being tampered with or shut down" is not selected, this is a finding. Client check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Client Management -> Select Configure Settings -> Under the Tamper Protection tab -> Ensure "Protect Symantec security software from being tampered with or shut down" is selected. Criteria: If "Protect Symantec security software from being tampered with or shut down" is not selected, this is a finding.

Fix: F-48195r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Clients -> Under Clients -> Select the client to be checked -> Under the Policies tab, Settings -> Select General Settings -> Under the Tamper Protection tab -> Select "Protect Symantec security software from being tampered with or shut down".

c
The Symantec Endpoint Protection client must have the Symantec Client State Plug-in for ePO deployed.
SI-3 - High - CCI-001246 - V-42614 - SV-55342r1_rule
RMF Control
SI-3
Severity
H
CCI
CCI-001246
Version
DTASEP006
Vuln IDs
  • V-42614
Rule IDs
  • SV-55342r1_rule
All systems at DoD sites are managed by the site's HBSS ePO server for host based security. When sites choose to deploy Symantec AntiVirus products to their managed systems, these systems appear to HBSS as not protected for antivirus. When the HBSS ePO server uploads asset postures to US CYBERCOM, the systems will reflect as not having antivirus installed. In order that the Symantec status is reporting in the asset's posture within HBSS, the Symantec Client Status plug-in needs to be deployed to the Symantec-install system from the HBSS ePO server and verified to be reporting its Symantec status back to the ePO server.
Checks: C-48895r1_chk

On the system to which the Symantec Endpoint Protection has been installed, find the McAfee Agent icon (red shield with white M) in the taskbar. Right click on the icon and choose "About". The dialog box which opens will reflect all installed products being managed by the McAfee Agent, as deployed from the McAfee HBSS ePO server. Verify "Symantec Plugin" is listed as an installed product. If the McAfee Agent "About" properties do not include the Symantec Plugin as an installed product, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit and 64 bit: HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins If the subkey "S_SYMC_1000" does not exist, this is a finding.

Fix: F-48196r1_fix

The fix will require the assistance of the HBSS administrator. The HBSS should deploy the Symantec Client State Plugin from the HBSS ePO server and verify the system accurately reflects its installation.

b
The Symantec Endpoint Protection client must be verified as uploading SEP client detail to ePO.
SI-3 - Medium - CCI-001246 - V-42615 - SV-55343r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001246
Version
DTASEP007
Vuln IDs
  • V-42615
Rule IDs
  • SV-55343r1_rule
All systems at DoD sites are managed by the site's HBSS ePO server for host based security. When sites choose to deploy Symantec AntiVirus products to their managed systems, these systems appear to HBSS as not protected for antivirus. When the HBSS ePO server uploads asset postures to US CYBERCOM, the systems will reflect as not having antivirus installed. In order that the Symantec status be reported in the asset's posture within HBSS, the Symantec Client Status plug-in needs to be deployed to the Symantec-install system from the HBSS ePO server and verified to be reporting its Symantec status back to the ePO server.
Checks: C-48896r1_chk

On the system to which the Symantec Endpoint Protection has been installed, open a Windows Explorer window and navigate to C:\ProgramData\McAfee\Common Framework (on 64-bit systems) or C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework (on 32-bit systems). Find and open with Internet Explorer the file named LastPropsSentToServer.xml. Verify the following information in the file: <LastUpdate> should be recent (current day) SoftwareID="S_SEPEVT1100" Setting name="ProductName">Symantec Endpoint Protection Setting name="szProductVer">12.1.1101.401 If the LastPropsSentToServer.xml does not reflect a current <LastUpdate> date and/or does not include a section for SoftwareID="S_SEPEVT1100", this is a finding.

Fix: F-48197r1_fix

The fix will require assistance of the HBSS administrator. The HBSS administrator should verify the McAfee Agent is successfully communicating to the ePO server. The HBSS administrator should redeploy the Symantec Client State Plugin and verify it uploads the Symantec client state correctly to the ePO server.

b
The Symantec Endpoint Protection client File Reputation Data Submission must be disabled from automatically forwarding selected anonymous security information to Symantec.
SI-3 - Medium - CCI-001242 - V-42616 - SV-55344r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP008
Vuln IDs
  • V-42616
Rule IDs
  • SV-55344r1_rule
Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since querying the cloud-based database when a file appears to be suspicious provides up- to- the minute intelligence. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.
Checks: C-48897r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Clients -> Under Clients -> Select the client to be checked -> Under the Policies tab, Settings -> Select External Communications Settings -> Under the Submissions tab -> Ensure "Let computers automatically forward selected anonymous security information to Symantec" is not selected. Criteria: If "Let computers automatically forward selected anonymous security information to Symantec" is selected, this is a finding. Client check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Client Management -> Select Configure Settings -> Under the Submissions tab - > Ensure "Let this computer automatically forward selected anonymous security information to Symantec" is not selected. Criteria: If "Let this computer automatically forward selected anonymous security information to Symantec" is selected, this is a finding.

Fix: F-48198r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Clients -> Under Clients -> Select the client to be checked -> Under the Policies tab, Settings -> Select External Communications Settings -> Under the Submissions tab -> Ensure "Let computers automatically forward selected anonymous security information to Symantec" is not selected.

b
The Symantec Endpoint Protection client Insight Lookup for threat detection must be enabled.
SI-3 - Medium - CCI-001242 - V-42617 - SV-55345r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP009
Vuln IDs
  • V-42617
Rule IDs
  • SV-55345r2_rule
Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software, since querying the cloud-based database when a file appears to be suspicious provides up- to- the minute intelligence. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.
Checks: C-48898r5_chk

Note: This check is Not Applicable for SIPRnet or higher networks. Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans, select Administrator-Defined Scans -> Select the applied scan and click Edit -> Select the Insight Lookup tab -> Ensure "Enable Insight for:" is selected. Criteria: If "Enable Insight for:" is not selected, this is a finding. Client check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to the open Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Global Settings tab, Scan Options -> Ensure "Enable Insight for:" is selected. Criteria: If "Enable Insight for:" is not selected, this is a finding.

Fix: F-48199r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans select Administrator-Defined Scans -> Select the applied scan and click Edit -> Select the Insight Lookup tab -> Select "Enable Insight for:".

c
The Symantec Endpoint Protection client File System Auto-Protect must be enabled.
SI-3 - High - CCI-001242 - V-42628 - SV-55356r1_rule
RMF Control
SI-3
Severity
H
CCI
CCI-001242
Version
DTASEP010
Vuln IDs
  • V-42628
Rule IDs
  • SV-55356r1_rule
For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans and other malware infecting the system during that startup phase.
Checks: C-48901r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology, Select Auto-Protect -> Select the Scan Details tab -> Ensure "Enable Auto-Protect" is selected. Criteria: If "Enable Auto-Protect" is not selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of APEOff is not 0, this is a finding.

Fix: F-48213r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology, select Auto-Protect -> Select the Scan Details tab -> Select "Enable Auto-Protect".

b
The Symantec Endpoint Protection client Auto-Protect reload must be configured to stop and reload when the configuration changes.
SI-3 - Medium - CCI-001242 - V-42630 - SV-55358r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP011
Vuln IDs
  • V-42630
Rule IDs
  • SV-55358r1_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes, introduces a higher risk of threats going undetected.
Checks: C-48902r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology, select Auto-Protect -> Select the Advanced tab -> Under Auto-Protect Reloading and Enablement, When Auto-Protect must be reloaded -> Ensure "Stop and reload Auto-Protect" is selected. Criteria: If "Stop and reload Auto-Protect" is not selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of ConfigRestart is not 1, this is a finding.

Fix: F-48215r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click on the applied policy -> Under Windows Settings, Protection Technology, select Auto-Protect -> Select the Advanced tab -> Under Auto-Protect Reloading and Enablement, When Auto-Protect must be reloaded -> Select "Stop and reload Auto-Protect".

b
The Symantec Endpoint Protection client Auto-Protect File Types options must be configured to scan all files.
SI-3 - Medium - CCI-001242 - V-42632 - SV-55360r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP012
Vuln IDs
  • V-42632
Rule IDs
  • SV-55360r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-48903r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology, select Auto-Protect -> Select the Scan Details tab -> Under Scanning, File types -> Ensure "Scan all files" is selected. Criteria: If "Scan all files" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow632Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of FileType is not 0, this is a finding.

Fix: F-48216r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology, select Auto-Protect -> Select the Scan Items tab -> Under Scanning, File types -> Select "Scan all files".

b
The Symantec Endpoint Protection Auto-Protect client Detection Options must be configured to display a notification to the user when a risk is detected.
SI-3 - Medium - CCI-001242 - V-42633 - SV-55361r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP013
Vuln IDs
  • V-42633
Rule IDs
  • SV-55361r1_rule
An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on malware incident prevention, which can help reduce the frequency and severity of malware incidents. Organizations should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a host may be infected, how to report a suspected incident, and what users need to do to assist with incident handling Having the antivirus software alert a users when a risk is detected will ensure the user is aware of the incident and be able to more closely relate the incident to any action(s) being performed by the user at the time of the detection.
Checks: C-48904r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Notifications tab -> Under Notifications -> Ensure "Display a notification message on the infected computer" is selected. Criteria: If "Display a notification message on the infected computer" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of MessageBox is not 1, this is a finding.

Fix: F-48217r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology, select Auto-Protect -> Select the Notifications tab -> Under Notifications -> Select "Display a notification message on the infected computer".

b
The Symantec Endpoint Protection client Auto-Protect Advanced Options must be configured to scan files when accessed or modified.
SI-3 - Medium - CCI-001242 - V-42634 - SV-55362r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP014
Vuln IDs
  • V-42634
Rule IDs
  • SV-55362r1_rule
Interpreted viruses are executed by an application. Within this subcategory, macro viruses take advantage of the capabilities of applications' macro programming language to infect application documents and document templates, while scripting viruses infect scripts that are understood by scripting languages processed by services on the OS. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts. (NIST SP 800-83) The scanning of files when accessed or modified is crucial in preventing these attacks.
Checks: C-48905r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Scan Details tab -> Under Scanning, Additional Options -> Select Advanced Scanning and Monitoring -> Under Scan Files When -> Ensure "Scan when a file is accessed or modified" is selected. Criteria: If "Scan when a file is accessed or modified" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of Reads is not 1, this is a finding.

Fix: F-48218r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology, select Auto-Protect -> Select the Scan Details tab -> Under Scanning, Additional Options -> Select Advanced Scanning and Monitoring -> Under Scan Files When -> Select "Scan when a file is accessed or modified" .

b
The Symantec Endpoint Protection client Auto-Protect Backup Option must be disabled to prevent backing up infected files before attempting to repair them.
SI-3 - Medium - CCI-001242 - V-42635 - SV-55363r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP015
Vuln IDs
  • V-42635
Rule IDs
  • SV-55363r1_rule
For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.
Checks: C-48906r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions -> Under Remediation -> Ensure "Back up files before attempting to repair them" is NOT selected. Criteria: If "Back up files before attempting to repair them" is selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of BackupToQuarantine is not 0, this is a finding.

Fix: F-48219r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions -> Under Remediation -> Ensure "Back up files before attempting to repair them" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Advanced Options Automatic enablement setting must be enabled.
SI-3 - Medium - CCI-001242 - V-42636 - SV-55364r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP016
Vuln IDs
  • V-42636
Rule IDs
  • SV-55364r1_rule
For antivirus software to be effective, it must be running at all times, beginning from the point of the system's initial startup. Otherwise, the risk is greater for viruses, Trojans, and other malware infecting the system during that startup phase.
Checks: C-48907r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology, select Auto-Protect -> Select the Advanced tab -> Under Auto-Protect Reloading and Enablement, When Auto-Protect is disabled -> Ensure "Enable after:" is selected -> Ensure the time limit is set to 5 minutes or less. Criteria: If "When Auto-Protect is disabled, enable after:" is not selected, this is a finding. If "When Auto-Protect is disabled, enable after:" is selected and the time limit is not set to 5 minutes or less, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of APEOn is not 1 and the value of APESleep is not <= 5, this is a finding. If APESleep is > 5 or APEOn is not 1, this is a finding.

Fix: F-48221r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology, select Auto-Protect -> Select the Advanced tab -> Under Auto-Protect Reloading and Enablement, When Auto-Protect is disabled -> Select "Enable after:" -> Set time limit to 5 minutes or less.

b
The Symantec Endpoint Protection client Auto-Protect Advanced Options Floppy Settings must be enabled to scan for boot viruses.
SI-3 - Medium - CCI-001242 - V-42637 - SV-55365r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP017
Vuln IDs
  • V-42637
Rule IDs
  • SV-55365r1_rule
Computer viruses in the early days of personal computing were almost exclusively passed around by floppy disks. Floppy disks would be used to boot the computer and, if infected, would infect the hard drive files, as well. Although floppy drives have fallen out of use, it is still a good security practice, whenever the antivirus software allows, to enable the scanning software to scan a floppy disk.
Checks: C-48908r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Scan Details tab -> Under Scanning, Additional Options -> Select Advanced Scanning and Monitoring -> Under Floppy Settings -> Ensure "Check floppies for boot viruses when accessed" is selected. Criteria: If "Check floppies for boot viruses when accessed" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of ScanFloppyBROnAccess is not 1, this is a finding.

Fix: F-48222r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Scan Details tab -> Under Scanning, Additional Options -> Select Advanced Scanning and Monitoring -> Under Floppy Settings -> Select "Check floppies for boot viruses when accessed".

b
The Symantec Endpoint Protection client Auto-Protect Advanced Options Floppy Settings must be configured to check floppies when system shuts down.
SI-3 - Medium - CCI-001242 - V-42638 - SV-55366r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP018
Vuln IDs
  • V-42638
Rule IDs
  • SV-55366r1_rule
Computer viruses in the early days of personal computing were almost exclusively passed around by floppy disks. Floppy disks would be used to boot the computer and, if infected, would infect the hard drive files, as well. Although floppy drives have fallen out of use, it is still a good security practice, whenever the antivirus software allows, to enable the scanning software to scan a floppy disk at shutdown.
Checks: C-48909r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology, select Auto-Protect -> Select the Advanced tab -> Under Startup and Shutdown -> Ensure "Check floppies when the computer shuts down" is selected. Criteria: If "Check floppies when the computer shuts down" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of SkipShutDownFloppyCheck is not 0, this is a finding.

Fix: F-48223r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology, select Auto-Protect -> Select the Advanced tab -> Under Startup and Shutdown -> Select "Check floppies when the computer shuts down".

b
The Symantec Endpoint Protection client Auto-Protect option to Scan for Security Risks must be enabled.
SI-3 - Medium - CCI-001242 - V-42640 - SV-55368r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP019
Vuln IDs
  • V-42640
Rule IDs
  • SV-55368r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. The scanning for unknown program viruses will mitigate zero day attacks.
Checks: C-48910r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Scan Details tab -> Under Scanning, Additional Options -> Ensure "Scan for security risks" is selected. Criteria: If "Scan for security risks" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of RespondToThreats is not 3, this is a finding.

Fix: F-48224r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Scan Details tab -> Under Scanning, Additional Options -> Select "Scan for security risks".

b
The Symantec Endpoint Protection client Auto-Protect option to Delete newly created infected files must be enabled.
SI-3 - Medium - CCI-001242 - V-42641 - SV-55369r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP020
Vuln IDs
  • V-42641
Rule IDs
  • SV-55369r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48911r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Scan Details tab -> Under Scanning, Additional Options -> Select Advanced Scanning and Monitoring -> Under Other Options -> Ensure "Always delete newly created infected files" is selected. Criteria: If "Always delete newly created infected files" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of DeleteInfectedOnCreate is not 1, this is a finding.

Fix: F-48225r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Scan Details tab -> Under Scanning, Additional Options -> Select Advanced Scanning and Monitoring -> Under Other Options -> Select "Always delete newly created infected files".

b
The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be enabled.
SI-3 - Medium - CCI-001242 - V-42642 - SV-55370r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP021
Vuln IDs
  • V-42642
Rule IDs
  • SV-55370r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48912r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Advanced tab -> Under Additional Options -> Select Risk Tracer -> Ensure "Enable Risk Tracer", is selected. Criteria: If "Enable Risk Tracer", is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of ThreatTracerOnOff is not 1, this is a finding.

Fix: F-48226r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Advanced tab -> Under Additional Options -> Select Risk Tracer -> Select "Enable Risk Tracer".

b
The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be configured to resolve source IP address.
SI-3 - Medium - CCI-001242 - V-42643 - SV-55371r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP022
Vuln IDs
  • V-42643
Rule IDs
  • SV-55371r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48913r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Advanced tab -> Under Additional Options -> Select Risk Tracer -> Ensure "Resolve the source computer IP address", is selected. Criteria: If "Resolve the source computer IP address", is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of ThreatTracerResolveIP is not 1, this is a finding.

Fix: F-48227r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Advanced tab -> Under Additional Options -> Select Risk Tracer -> Select "Resolve the source computer IP address".

b
The Symantec Endpoint Protection client Auto-Protect Risk Tracer must be configured to poll network sessions.
SI-3 - Medium - CCI-001242 - V-42644 - SV-55372r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP023
Vuln IDs
  • V-42644
Rule IDs
  • SV-55372r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48914r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Advanced tab -> Under Additional Options -> Select Risk Tracer -> Ensure "Poll for network sessions every:" is selected and set to 10000 milliseconds. Criteria: If "Poll for network sessions every:" is not selected and set to 10000 milliseconds, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan Criteria: If the value of ThreatTracerSleepMsecs is not set to at least 10000 milliseconds, this is a finding.

Fix: F-48228r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Advanced tab -> Under Additional Options -> Select Risk Tracer -> Select "Poll for network sessions every:" and set it to 10000 milliseconds.

b
The Symantec Endpoint Protection client Global Settings Bloodhound heuristic technology must be enabled.
SI-3 - Medium - CCI-001242 - V-42645 - SV-55373r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP024
Vuln IDs
  • V-42645
Rule IDs
  • SV-55373r1_rule
Bloodhound Virus detection scans outgoing email messages and helps to prevent the spread of threats such as worms that can use email clients to replicate and distribute themselves across a network.
Checks: C-48915r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Advanced options, select Global Scan Options -> Under Bloodhound Detection Settings -> Ensure "Enable Bloodhound heuristic virus detection" is selected. Criteria: If "Enable Bloodhound heuristic virus detection" is not selected, this is a finding. Client check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Global Settings tab -> Under Scan Options -> Ensure "Enable Bloodhound heuristic virus detection" is selected. Criteria: If "Enable Bloodhound heuristic virus detection" is not selected, this is a finding.

Fix: F-48229r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Advanced options, select Global Scan Options -> Under Bloodhound Detection Settings -> Select "Enable Bloodhound heuristic virus detection".

b
The Symantec Endpoint Protection client Global Settings must be configured to use Insight Lookup for File Reputation.
SI-3 - Medium - CCI-001242 - V-42646 - SV-55374r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP025
Vuln IDs
  • V-42646
Rule IDs
  • SV-55374r1_rule
Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software since querying the cloud-based database when a file appears to be suspicious provides up- to- the- minute intelligence. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.
Checks: C-48916r3_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Advanced options, select Global Scan Options -> Under Insight settings -> Ensure "Enable Insight for:" is selected. Criteria: If "Enable Insight for:" is not selected, this is a finding. Client check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to the open Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Global Settings tab, Scan Options -> Ensure "Enable Insight for:" is selected. Criteria: If "Enable Insight for:" is not selected, this is a finding.

Fix: F-48230r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Advanced options, select Global Scan Options -> Under Insight settings -> Select "Enable Insight for:".

b
The Symantec Endpoint Protection client Global Settings Heuristics Level must be set to Automatic, at a minimum.
SI-3 - Medium - CCI-001242 - V-42647 - SV-55375r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001242
Version
DTASEP026
Vuln IDs
  • V-42647
Rule IDs
  • SV-55375r1_rule
Heuristics analyzes a program's structure, its behavior, and other attributes for virus-like characteristics. In many cases, it can protect against threats such as mass-mailing worms and macro viruses if they are encountered before updating virus definitions. Advanced heuristics looks for script-based threats in HTML, VBScript, and JavaScript files.
Checks: C-48917r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Advanced options, select Global Scan Options -> Under Bloodhound Detection Settings -> Ensure "Enable Bloodhound heuristic virus detection" is set to Automatic, at a minimum. Criteria: If "Enable Bloodhound heuristic virus detection" is not set to Automatic, at a minimum, this is a finding. Client check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Change settings -> Under Virus and Spyware Protection -> Select Configure Settings -> Under the Global Settings tab -> Under Scan Options -> Ensure "Enable Bloodhound heuristic virus detection" is set to Automatic at a minimum. Criteria: If "Enable Bloodhound heuristic virus detection" is not set to Automatic, at a minimum, this is a finding.

Fix: F-48231r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Advanced options, select Global Scan Options -> Under Bloodhound Detection Settings -> Set "Enable Bloodhound heuristic virus detection" to Automatic, at a minimum.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Malware, level and not be overridden by sub-levels.
SI-3 - Medium - CCI-001243 - V-42648 - SV-55376r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP027
Vuln IDs
  • V-42648
Rule IDs
  • SV-55376r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48918r2_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected. Criteria: If "Override actions configured for Malware" is selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware\TCID-0 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware\TCID-0 is 0 or the value is not there, this is not a finding.

Fix: F-48232r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions for Malware must be configured to Clean Risk as the first action upon detection.
SI-3 - Medium - CCI-001243 - V-42649 - SV-55377r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP028
Vuln IDs
  • V-42649
Rule IDs
  • SV-55377r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network.
Checks: C-48919r2_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Select Malware -> Ensure First action is set to "Clean Risk". Criteria: If First action is not set to "Clean Risk", this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware Criteria: If the value of "FirstAction" is not 5, this is a finding.

Fix: F-48233r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Select Malware -> Set First action to "Clean Risk".

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions for Malware must be configured to Delete Risk if first action fails.
SI-3 - Medium - CCI-001243 - V-42650 - SV-55378r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP029
Vuln IDs
  • V-42650
Rule IDs
  • SV-55378r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network.
Checks: C-48920r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Select Malware -> Ensure If first action fails is set to "Delete Risk". Criteria: If first action fails is not set to "Delete Risk", this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Malware Criteria: If the value of "SecondAction" is not 3, this is a finding.

Fix: F-48234r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Select Malware -> Set If first action fails to "Delete Risk".

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level.
SI-3 - Medium - CCI-001243 - V-42651 - SV-55379r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP030
Vuln IDs
  • V-42651
Rule IDs
  • SV-55379r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48921r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Adware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec EndpointProtection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-10 is 0 or the value is not there, this is not a finding.

Fix: F-48235r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Adware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level.
SI-3 - Medium - CCI-001243 - V-42652 - SV-55380r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP031
Vuln IDs
  • V-42652
Rule IDs
  • SV-55380r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48922r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Dialer -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-8 is 0 or the value is not there, this is not a finding.

Fix: F-48236r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Dialer -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level.
SI-3 - Medium - CCI-001243 - V-42653 - SV-55381r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP032
Vuln IDs
  • V-42653
Rule IDs
  • SV-55381r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48923r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem \RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-5 is 0 or the value is not there, this is not a finding.

Fix: F-48237r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level.
SI-3 - Medium - CCI-001243 - V-42654 - SV-55382r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP033
Vuln IDs
  • V-42654
Rule IDs
  • SV-55382r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48924r2_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-11 is 0 or the value is not there, this is not a finding.

Fix: F-48238r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level.
SI-3 - Medium - CCI-001243 - V-42655 - SV-55383r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP034
Vuln IDs
  • V-42655
Rule IDs
  • SV-55383r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48925r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-14 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-14 is 0 or the value is not there, this is not a finding.

Fix: F-48239r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level.
SI-3 - Medium - CCI-001243 - V-42656 - SV-55384r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP035
Vuln IDs
  • V-42656
Rule IDs
  • SV-55384r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48926r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-17 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-17 is 0 or the value is not there, this is not a finding.

Fix: F-48240r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level.
SI-3 - Medium - CCI-001243 - V-42657 - SV-55385r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP036
Vuln IDs
  • V-42657
Rule IDs
  • SV-55385r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48927r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-9 is 0 or the value is not there, this is not a finding.

Fix: F-48241r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level.
SI-3 - Medium - CCI-001243 - V-42658 - SV-55386r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP037
Vuln IDs
  • V-42658
Rule IDs
  • SV-55386r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48928r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding.

Fix: F-48242r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level.
SI-3 - Medium - CCI-001243 - V-42659 - SV-55387r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP038
Vuln IDs
  • V-42659
Rule IDs
  • SV-55387r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48929r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-4 is 0 or the value is not there, this is not a finding.

Fix: F-48243r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level.
SI-3 - Medium - CCI-001243 - V-42660 - SV-55388r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP039
Vuln IDs
  • V-42660
Rule IDs
  • SV-55388r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48930r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding.

Fix: F-48244r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions settings must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level.
SI-3 - Medium - CCI-001243 - V-42661 - SV-55389r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP040
Vuln IDs
  • V-42661
Rule IDs
  • SV-55389r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48931r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded\TCID-7 is 0 or the value is not there, this is not a finding.

Fix: F-48245r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions for Security Risks must be configured to Delete Risk as the first action upon detection.
SI-3 - Medium - CCI-001243 - V-42662 - SV-55390r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP041
Vuln IDs
  • V-42662
Rule IDs
  • SV-55390r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt to delete the infected file, availability to the file is not sacrificed. If a deleting attempt is not successful, however, quarantining the file is the only safe option so as to ensure the malware is not introduced onto the system or network.
Checks: C-48932r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Ensure First action is set to "Delete Risk". Criteria: If First action is not set to "Delete Risk", this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of "FirstAction" is not 3, this is a finding.

Fix: F-48246r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Set First action to "Delete Risk".

b
The Symantec Endpoint Protection client Auto-Protect Scan Actions for Security Risks must be configured to Quarantine Risk if first action fails.
SI-3 - Medium - CCI-001243 - V-42663 - SV-55391r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP042
Vuln IDs
  • V-42663
Rule IDs
  • SV-55391r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt to delete the infected file, availability to the file is not sacrificed. If a deleting attempt is not successful, however, quarantining the file is the only safe option so as to ensure the malware is not introduced onto the system or network.
Checks: C-48933r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Ensure If first action fails is set to "Quarantine Risk". Criteria: If first action fails is not set to "Quarantine Risk", this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan\Expanded Criteria: If the value of "SecondAction" is not 1, this is a finding.

Fix: F-48247r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Protection Technology -> Select Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Set If first action fails to "Quarantine Risk".

b
The Symantec Endpoint Protection client must be configured with a full scan scheduled to run at least weekly.
SI-3 - Medium - CCI-001241 - V-42664 - SV-55392r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTASEP043
Vuln IDs
  • V-42664
Rule IDs
  • SV-55392r1_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files introduces a higher risk of threats going undetected.
Checks: C-48934r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Ensure there is at least one full scan enabled that is Weekly or Daily. Criteria: If there is no full scan enabled that is Weekly or Daily, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{scan ID}\Schedule 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{scan ID}\Schedule Criteria: If the value of SelectedScanType is not 2, the value of Type is not 1 or 2, and the value of Enabled is not 1, this is a finding.

Fix: F-48248r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Create at least one enabled full daily or weekly scan.

b
The Symantec Endpoint Protection client scheduled weekly scan must be configured to scan memory.
SI-3 - Medium - CCI-001241 - V-42689 - SV-55417r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTASEP044
Vuln IDs
  • V-42689
Rule IDs
  • SV-55417r1_rule
Antivirus software is the most commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files introduces, a higher risk of threats going undetected.
Checks: C-48960r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Scan Details tab, Scanning -> Ensure "Memory" is selected. Criteria: If "Memory" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID} 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID} Criteria : If the value of ScanProcesses is not 1, this is a finding.

Fix: F-48274r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Scan Details tab, Scanning -> Select "Memory".

b
The Symantec Endpoint Protection client weekly scheduled scan must be configured to scan all file types or to scan excluded files option must be documented with, and approved by, IAO/IAM.
SI-3 - Medium - CCI-001241 - V-42691 - SV-55419r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTASEP045
Vuln IDs
  • V-42691
Rule IDs
  • SV-55419r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-48962r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Scan Details tab, Scanning -> Ensure "Scan all files" is selected, or If "Scan Only Selected Extensions:" is selected -> Select Extensions -> Ensure any selected extensions are documented and approved by the IAO/IAM. Criteria: If "Scan all files" is not selected, or If "Scan Only Selected Extensions" is selected and the extensions are not documented with, and approved by, the IAO/IAM, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID} 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID} Criteria: If the value of FileType is not 1, or If the value of "ExcludeByExtension", "HaveExceptionDirs", "HaveExceptionFiles" are 1, and the IAO/IAM has approved the use of exclusions, this is not a finding.

Fix: F-48276r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Scan Details tab, Scanning -> Select "Scan all files", or If "Scan Only Selected Extensions:" is selected -> Select Extensions -> Ensure any selected extensions are documented with, and approved by, the IAO/IAM.

b
The Symantec Endpoint Protection client weekly scheduled scan must be configured to use Insight File Reputation lookup, when scanning, set to a sensitivity level of at least 5 (Typical).
SI-3 - Medium - CCI-001241 - V-42693 - SV-55421r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTASEP046
Vuln IDs
  • V-42693
Rule IDs
  • SV-55421r1_rule
Antivirus software vendors use collective intelligence from sensors and cross-vector intelligence from web, email, and network threats to compile scores that reflect the likelihood of whether a file in question is malware. The collective intelligence is constantly being updated, more frequently than the typical daily antivirus signature files. With File Reputation lookup, a more real-time response to potential malicious code is realized than with the local-running antivirus software since querying the cloud-based database when a file appears to be suspicious provides up- to- the- minute intelligence. This type of protection reduces the threat protection time period from days to milliseconds, increases malware detection rates, and reduces downtime and remediation costs associated with malware attacks. Using File Reputation lookup is mandated by US CYBERCOM on DoD systems.
Checks: C-48964r3_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Insight Lookup tab, Insight Lookup, select Level -> Ensure the slider is set to "5 (Typical)" or greater. Criteria: If the slider is not set to "5 (Typical)" or greater, this is a finding. Client check: Locate the Symantec Endpoint Protection icon in the system tray. Double-click the icon to open the Symantec Endpoint Protection configuration screen. On the left hand side, select Scan for Threats -> Double-click the applied policy -> Under Scan Options -> Select Insight Lookup -> Under Specify the sensitivity level -> Ensure the slider is set to "5 (Typical)" or greater. Criteria: If the slider is not set to "5 (Typical)" or greater, this is a finding.

Fix: F-48278r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Insight Lookup tab, Insight Lookup, select Level -> Set the slider to "5 (Typical)" or greater.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling File Reputation lookup detections must be set to Quarantine Risk as first action.
SI-3 - Medium - CCI-001243 - V-42702 - SV-55430r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP047
Vuln IDs
  • V-42702
Rule IDs
  • SV-55430r1_rule
This setting is required for the weekly scan parameter Security Risks First Action policy. When a security risk is detected, the first action to be performed must be the option to quarantine the risk.
Checks: C-48966r3_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Insight Lookup tab, Malicious files -> Ensure First action is set to "Quarantine Risk". Criteria: If First action is not set to "Quarantine Risk", this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Malware\TCID-18 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Malware\TCID-18 Criteria: If the value of FirstAction is not 1, this is a finding.

Fix: F-48287r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Insight Lookup tab, Malicious files -> Set First action to "Quarantine Risk".

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling File Reputation lookup detections must be set to Leave alone (log only) if first action fails.
SI-3 - Medium - CCI-001243 - V-42703 - SV-55431r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP048
Vuln IDs
  • V-42703
Rule IDs
  • SV-55431r1_rule
This setting is required for the weekly scan parameter Security Risks First Action policy. When a Security Risk is detected, the if the first action fails, the second action must be set to "Leave alone (log only)".
Checks: C-48974r3_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Insight Lookup tab, Malicious files -> Ensure If first action fails is set to "Leave alone (log only)". Criteria: If first action fails is not set to "Leave alone (log only)", this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Malware\TCID-18 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Malware\TCID-18 Criteria: If the value of SecondAction is not 4, this is a finding.

Fix: F-48288r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Insight Lookup tab, Malicious files -> Set If first action fails to "Leave alone (log only)".

b
The Symantec Endpoint Protection client weekly scheduled scan must be configured to display a message to the user if a virus is detected.
SI-3 - Medium - CCI-001241 - V-42704 - SV-55432r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTASEP049
Vuln IDs
  • V-42704
Rule IDs
  • SV-55432r1_rule
An effective awareness program explains proper rules of behavior for use of an organization's IT systems and information. Accordingly, awareness programs should include guidance to users on malware incident prevention, which can help reduce the frequency and severity of malware incidents. Organizations should also make users aware of policies and procedures that apply to malware incident handling, such as how to identify if a host may be infected, how to report a suspected incident, and what users need to do to assist with incident handling Having the antivirus software alert a user when a risk is detected will ensure the user is aware of the incident, and will make it possible to more closely relate the incident to any action(s) being performed by the user at the time of the detection.
Checks: C-48975r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> under the Notifications tab, Notifications -> Ensure "Display a notification message on the infected computer" is selected. Criteria: If "Display a notification message on the infected computer" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{scan ID} 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{scan ID} Criteria: If the value MessageBox is not 1, this is a finding.

Fix: F-48289r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Notifications tab, Notifications -> Select "Display a notification message on the infected computer".

b
The Symantec Endpoint Protection client weekly scheduled scan must be configured to scan compressed files.
SI-3 - Medium - CCI-001241 - V-42705 - SV-55433r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTASEP050
Vuln IDs
  • V-42705
Rule IDs
  • SV-55433r1_rule
Malware is often packaged within compressed files. In addition, compressed files might have other compressed files within. Not scanning compressed files introduces the risk of infected files being introduced into the environment.
Checks: C-48976r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click on the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click on Weekly Scan -> Under the Scan Details tab, Scanning, Enhance the scan by checking -> Select Advanced Scanning Options -> Under the Compressed Files, Scanning Compressed Files -> Ensure "Scan files inside compressed files" is selected. Criteria: If "Scan files inside compressed files" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID} 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID} Criteria: If the value of ZipFile is not 1, this is a finding.

Fix: F-48290r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Scan Details tab, Scanning, Enhance the scan by checking -> Select Advanced Scanning Options -> under the Compressed Files, Scanning Compressed Files -> Select "Scan files inside compressed files".

b
The Symantec Endpoint Protection client weekly scheduled scan must be configured to prevent users from stopping a scheduled scan.
SI-3 - Medium - CCI-001241 - V-42706 - SV-55434r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTASEP052
Vuln IDs
  • V-42706
Rule IDs
  • SV-55434r1_rule
Antivirus software is the mostly commonly used technical control for malware threat mitigation. Antivirus software on hosts should be configured to scan all hard drives regularly to identify any file system infections and to scan any removable media, if applicable, before media is inserted into the system. Not scheduling a regular scan of the hard drives of a system and/or not configuring the scan to scan all files and running processes introduces, a higher risk of threats going undetected.
Checks: C-48978r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Advanced, Scan Progress Options -> Ensure "Allow the user to stop a scan" is NOT selected. Criteria: If "Allow the user to stop a scan" is selected, this is a finding. Client Check: There is no way to properly validate on the client side. It must be performed on the server.

Fix: F-48292r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Advanced, Scan Progress Options -> Ensure "Allow the user to stop a scan" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan must be configured for scanning load points.
SI-3 - Medium - CCI-001241 - V-42707 - SV-55435r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTASEP053
Vuln IDs
  • V-42707
Rule IDs
  • SV-55435r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-48979r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans ->Double-click the Weekly Scan -> Under the Scan Details tab -> Ensure "Common infection locations" is selected. Criteria: If "Common infection locations" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID} 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID} Criteria: If the value of ScanLoadPoints is not 1, this is a finding.

Fix: F-48293r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Scan Details tab -> Select "Common infection locations".

b
The Symantec Endpoint Protection client weekly scheduled scan must be configured for scanning well-known viruses and security risks.
SI-3 - Medium - CCI-001241 - V-42708 - SV-55436r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTASEP054
Vuln IDs
  • V-42708
Rule IDs
  • SV-55436r1_rule
When scanning for malware, excluding specific file types will increase the risk of a malware-infected file going undetected. By configuring antivirus software to scan all file types, the scanner has a higher success rate at detecting and eradicating malware.
Checks: C-48980r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Scan Details tab, Scanning -> Ensure "Well-known virus and security risk locations" is selected. Criteria: If "Well-known virus and security risk locations" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{scan ID} 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{scan ID} Criteria: If the value of ScanERASERDefs is not 1, this is a finding.

Fix: F-48294r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Scan Details tab, Scanning -> Select "Well-known virus and security risk locations".

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling malware upon detection must be explicitly configured at the top, Malware, level and not be overridden by sub-levels.
SI-3 - Medium - CCI-001243 - V-42709 - SV-55437r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP055
Vuln IDs
  • V-42709
Rule IDs
  • SV-55437r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to delete the file first will prevent the infection from spreading.
Checks: C-48981r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected. Criteria: If "Override actions configured for Malware" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Malware\TCID-0 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Malware\TCID-0 is 0 or the value is not there, this is not a finding.

Fix: F-48295r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for when malware has been detected must be configured to Clean Risk as first action.
SI-3 - Medium - CCI-001243 - V-42710 - SV-55438r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP056
Vuln IDs
  • V-42710
Rule IDs
  • SV-55438r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network.
Checks: C-48982r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Select Malware -> Observe the First action and the If first action fails boxes -> Ensure First action is set to "Clean Risk". Criteria: If First action is not set to "Clean Risk", this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Malware Criteria: If the value of "FirstAction" is not 5, this is a finding.

Fix: F-48296r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click on the Weekly Scan -> Select the Actions tab -> Under Actions -> Select Malware -> Observe the First action and the If first action fails boxes -> Set First action to "Clean Risk".

b
The Symantec Endpoint Protection client weekly scheduled scan actions for when malware has been detected must be configured to Delete Risk if first action fails.
SI-3 - Medium - CCI-001243 - V-42711 - SV-55439r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP057
Vuln IDs
  • V-42711
Rule IDs
  • SV-55439r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network.
Checks: C-48983r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Select Malware -> Observe the First action and the If first action fails boxes -> Ensure If first action fails is set to "Delete Risk". Criteria: If first action fails is not set to "Delete Risk", this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Malware Criteria: If the value of "SecondAction" is not 3, this is a finding.

Fix: F-48297r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click on the Weekly Scan -> Select the Actions tab -> Under Actions -> Select Malware -> Observe the First action and the If first action fails boxes -> Set If first action fails to "Delete Risk".

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level.
SI-3 - Medium - CCI-001243 - V-42712 - SV-55440r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP058
Vuln IDs
  • V-42712
Rule IDs
  • SV-55440r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-48984r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Adware-> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-10 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-10 is 0 or the value is not there, this is not a finding.

Fix: F-48298r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Adware-> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level.
SI-3 - Medium - CCI-001243 - V-42713 - SV-55441r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP059
Vuln IDs
  • V-42713
Rule IDs
  • SV-55441r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-48985r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Dialer-> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-8 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-8 is 0 or the value is not there, this is not a finding.

Fix: F-48299r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Dialer-> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level.
SI-3 - Medium - CCI-001243 - V-42714 - SV-55442r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP060
Vuln IDs
  • V-42714
Rule IDs
  • SV-55442r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-48986r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-5 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-5 is 0 or the value is not there, this is not a finding.

Fix: F-48300r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level.
SI-3 - Medium - CCI-001243 - V-42715 - SV-55443r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP061
Vuln IDs
  • V-42715
Rule IDs
  • SV-55443r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-48987r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-11 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-11 is 0 or the value is not there, this is not a finding.

Fix: F-48301r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level.
SI-3 - Medium - CCI-001243 - V-42716 - SV-55444r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP062
Vuln IDs
  • V-42716
Rule IDs
  • SV-55444r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-48988r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-14 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-14 is 0 or the value is not there, this is not a finding.

Fix: F-48302r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level.
SI-3 - Medium - CCI-001243 - V-42717 - SV-55445r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP063
Vuln IDs
  • V-42717
Rule IDs
  • SV-55445r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-48989r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-17 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-17 is 0 or the value is not there, this is not a finding.

Fix: F-48303r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level.
SI-3 - Medium - CCI-001243 - V-42718 - SV-55446r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP064
Vuln IDs
  • V-42718
Rule IDs
  • SV-55446r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-48990r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-9 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-9 is 0 or the value is not there, this is not a finding.

Fix: F-48304r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level.
SI-3 - Medium - CCI-001243 - V-42719 - SV-55447r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP065
Vuln IDs
  • V-42719
Rule IDs
  • SV-55447r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-48991r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-13 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-13 is 0 or the value is not there, this is not a finding.

Fix: F-48305r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level.
SI-3 - Medium - CCI-001243 - V-42720 - SV-55448r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP066
Vuln IDs
  • V-42720
Rule IDs
  • SV-55448r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-48992r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-4 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-4 is 0 or the value is not there, this is not a finding.

Fix: F-48306r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level.
SI-3 - Medium - CCI-001243 - V-42721 - SV-55449r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP067
Vuln IDs
  • V-42721
Rule IDs
  • SV-55449r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-48993r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-6 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-6 is 0 or the value is not there, this is not a finding.

Fix: F-48307r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for handling security risks upon detection must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level.
SI-3 - Medium - CCI-001243 - V-42722 - SV-55450r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP068
Vuln IDs
  • V-42722
Rule IDs
  • SV-55450r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-48994r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Trackware-> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-7 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID}\Expanded\TCID-7 is 0 or the value is not there, this is not a finding.

Fix: F-48308r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Trackware-> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client weekly scheduled scan actions for when a security risk has been detected must be configured to Delete Risk as first action.
SI-3 - Medium - CCI-001243 - V-42723 - SV-55451r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP069
Vuln IDs
  • V-42723
Rule IDs
  • SV-55451r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network.
Checks: C-48995r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Ensure First action is set to "Delete Risk". Criteria: If First action is not set to "Delete Risk", this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks{Scan ID}\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks{Scan ID}\Expanded Criteria: If the value of "FirstAction" is not 3, this is a finding.

Fix: F-48309r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Set First action to "Delete Risk".

b
The Symantec Endpoint Protection client weekly scheduled scan actions for when a security risk has been detected must be configured to Quarantine Risk if first action fails.
SI-3 - Medium - CCI-001243 - V-42724 - SV-55452r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP070
Vuln IDs
  • V-42724
Rule IDs
  • SV-55452r1_rule
Malware may have infected a file that is necessary to the user. By configuring the antivirus software to first attempt cleaning the infected file, availability to the file is not sacrificed. If a cleaning attempt is not successful, however, deleting the file is the only safe option so as to ensure the malware is not introduced onto the system or network.
Checks: C-48996r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Ensure If first action fails is set to "Quarantine Risk". Criteria: If first action fails is not set to "Quarantine Risk" , this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks{Scan ID}\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks{Scan ID}\Expanded Criteria: If the value of "SecondAction" is not 1, this is a finding.

Fix: F-48310r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Set If first action fails to "Quarantine Risk".

b
The Symantec Endpoint Protection client Outlook Auto-Protect client must be enabled.
SI-3 - Medium - CCI-001668 - V-42725 - SV-55453r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP071
Vuln IDs
  • V-42725
Rule IDs
  • SV-55453r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-48997r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Scan Details tab -> Ensure "Enable Microsoft Outlook Auto-Protect" is selected. Criteria: If "Enable Microsoft Outlook Auto-Protect" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan Criteria: If the value of OnOff is not 1, this is a finding.

Fix: F-48311r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Scan Details tab -> Select "Enable Microsoft Outlook Auto-Protect".

b
The Symantec Endpoint Protection client weekly scheduled scan backup option must be disabled to prevent backing up infected files before attempting to repair them.
SI-3 - Medium - CCI-001241 - V-42726 - SV-55454r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001241
Version
DTASEP051
Vuln IDs
  • V-42726
Rule IDs
  • SV-55454r1_rule
Potentially Unwanted Programs (PUPs) include Spyware, Adware, Remote Administration Tools, Dialers, Password Crackers, Jokes, and Key Loggers. While PUPs do not typically have any infection capability on their own, they rely on malware or other attack mechanisms to be installed onto target hosts, after which they will collect and transfer data from the host to an external host and/or will be used as attach mechanisms. Configuring the antivirus software to attempt to clean the file first will allow for the possibility of a false positive. If files are backed up before they are repaired, this could possibly allow the infection to stay on the system.
Checks: C-48998r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Actions tab, Remediation -> Ensure "Back up files before attempting to repair them" is NOT selected. Criteria: If "Back up files before attempting to repair them" is selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID} 64 bit: HKLM\SOFTWARE\Wow632Node\Symantec\Symantec Endpoint Protection\AV\Scheduler\{SID}\Custom Tasks\{Scan ID} Criteria: If the value of BackupToQuarantine is not 0, this is a finding.

Fix: F-48312r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Scheduled Scans -> Select Administrator-Defined Scans -> Double-click the Weekly Scan -> Under the Actions tab, Remediation -> Ensure "Back up files before attempting to repair them" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect client must be configured to scan all file types.
SI-3 - Medium - CCI-001668 - V-42727 - SV-55455r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP072
Vuln IDs
  • V-42727
Rule IDs
  • SV-55455r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-48999r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Scan Details tab -> Under Scanning, File types -> Ensure "Scan all files" is selected. Criteria: If "Scan all files" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan Criteria: If the value of FileType is not 0, this is a finding.

Fix: F-48313r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Scan Details tab -> Under Scanning, File types -> Select "Scan all files".

b
The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to scan inside zipped files.
SI-3 - Medium - CCI-001668 - V-42728 - SV-55456r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP073
Vuln IDs
  • V-42728
Rule IDs
  • SV-55456r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49000r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Scan Details tab -> Under Scanning -> Ensure "Scan files inside compressed files" is selected. Criteria: If "Scan files inside compressed files" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan Criteria: If the value of ZipFile is not 1, this is a finding.

Fix: F-48314r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Scan Details tab -> Under Scanning -> Select "Scan files inside compressed files".

b
The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to insert a warning into email messages when a message part has been deleted, cleaned, or quarantined.
SI-3 - Medium - CCI-001668 - V-42729 - SV-55457r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP074
Vuln IDs
  • V-42729
Rule IDs
  • SV-55457r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49001r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Notifications tab -> Under Email Notifications -> Ensure "Insert a warning into the email message" is selected. Criteria: If "Insert a warning into the email message" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan Criteria: If the value of InsertWarning is not 1, this is a finding.

Fix: F-48315r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Notifications tab -> Under Email Notifications -> Select "Insert a warning into the email message".

b
The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to not send a notification to the sender of an email in which a threat was detected.
SI-3 - Medium - CCI-001668 - V-42730 - SV-55458r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP075
Vuln IDs
  • V-42730
Rule IDs
  • SV-55458r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49002r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Notifications tab -> Under Email Notifications -> Ensure "Send email to the sender" is NOT selected. Criteria: If "Send email to the sender" is selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan Criteria: If the value of NotifySender is not 0, this is a finding.

Fix: F-48316r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Notifications tab -> Under Email Notifications -> Ensure "Send email to the sender" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected.
SI-3 - Medium - CCI-001668 - V-42731 - SV-55459r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP076
Vuln IDs
  • V-42731
Rule IDs
  • SV-55459r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49003r2_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Notifications tab -> Under Email Notifications -> Ensure "Send email to others" is selected -> select Others -> Ensure the IAO, IAM, and/or ePO administrator are listed. Criteria: If "Send email to others" is not selected, this is a finding. If "Send email to others" is selected and the IAO, IAM, and/ or the ePO administrator email addresses are not listed, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan Criteria: If the value of NotifySelected is not 1, this is a finding.

Fix: F-48317r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Notifications tab -> Under Email Notifications -> Select "Send email to others" -> select Others -> Add the IAO, IAM, and/or ePO administrator email addresses.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Malware, level and not be overridden by sub-levels.
SI-3 - Medium - CCI-001243 - V-42732 - SV-55460r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP077
Vuln IDs
  • V-42732
Rule IDs
  • SV-55460r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49004r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected. Criteria: If "Override actions configured for Malware" is selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\TCID-0 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware\TCID-0 is 0 or the value is not there, this is not a finding.

Fix: F-48318r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions for when Malware has been detected must be configured to Clean Risk as first action.
SI-3 - Medium - CCI-001243 - V-42733 - SV-55461r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP078
Vuln IDs
  • V-42733
Rule IDs
  • SV-55461r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49005r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Select Malware -> Observe the First action and the If first action fails boxes -> Ensure First action is set to "Clean Risk". Criteria: If First action is not set to "Clean Risk", this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware Criteria: If the value of "FirstAction" is 5, this is not a finding.

Fix: F-48319r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Select Malware -> Observe the First action and the If first action fails boxes -> Set First action to "Clean Risk".

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions for when Malware has been detected must be configured to Delete Risk if first action fails.
SI-3 - Medium - CCI-001243 - V-42734 - SV-55462r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP079
Vuln IDs
  • V-42734
Rule IDs
  • SV-55462r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49006r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Select Malware -> Observe the First action and the If first action fails boxes -> Ensure If first action fails is set to "Delete Risk". Criteria: If first action fails is not set to "Delete Risk", this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Malware Criteria: If the value of "SecondAction" is 3, this is not a finding.

Fix: F-48320r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Select Malware -> Observe the First action and the If first action fails boxes -> Set If first action fails to "Delete Risk".

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level.
SI-3 - Medium - CCI-001243 - V-42735 - SV-55463r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP080
Vuln IDs
  • V-42735
Rule IDs
  • SV-55463r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49007r2_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Adware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-10 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-10 is 0 or the value is not there, this is not a finding.

Fix: F-48321r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Adware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level.
SI-3 - Medium - CCI-001243 - V-42736 - SV-55464r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP081
Vuln IDs
  • V-42736
Rule IDs
  • SV-55464r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49008r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Dialer -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-8 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-8 is 0 or the value is not there, this is not a finding.

Fix: F-48322r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Dialer -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level.
SI-3 - Medium - CCI-001243 - V-42742 - SV-55470r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP082
Vuln IDs
  • V-42742
Rule IDs
  • SV-55470r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49014r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-5 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-5 is 0 or the value is not there, this is not a finding.

Fix: F-48328r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level.
SI-3 - Medium - CCI-001243 - V-42743 - SV-55471r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP083
Vuln IDs
  • V-42743
Rule IDs
  • SV-55471r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49015r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-11 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-11 is 0 or the value is not there, this is not a finding.

Fix: F-48329r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level.
SI-3 - Medium - CCI-001243 - V-42744 - SV-55472r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP084
Vuln IDs
  • V-42744
Rule IDs
  • SV-55472r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49016r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-14 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-14 is 0 or the value is not there, this is not a finding.

Fix: F-48330r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level.
SI-3 - Medium - CCI-001243 - V-42745 - SV-55473r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP085
Vuln IDs
  • V-42745
Rule IDs
  • SV-55473r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49017r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-17 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-17 is 0 or the value is not there, this is not a finding.

Fix: F-48331r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level.
SI-3 - Medium - CCI-001243 - V-42746 - SV-55474r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP086
Vuln IDs
  • V-42746
Rule IDs
  • SV-55474r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49018r2_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Remote Access -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan}\Expanded\TCID-9 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-9 is 0 or the value is not there, this is not a finding.

Fix: F-48332r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level.
SI-3 - Medium - CCI-001243 - V-42747 - SV-55475r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP087
Vuln IDs
  • V-42747
Rule IDs
  • SV-55475r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49019r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding.

Fix: F-48333r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level.
SI-3 - Medium - CCI-001243 - V-42748 - SV-55476r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP088
Vuln IDs
  • V-42748
Rule IDs
  • SV-55476r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49020r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-4 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-4 is 0 or the value is not there, this is not a finding.

Fix: F-48334r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level.
SI-3 - Medium - CCI-001243 - V-42749 - SV-55477r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP089
Vuln IDs
  • V-42749
Rule IDs
  • SV-55477r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49021r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding.

Fix: F-48335r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level.
SI-3 - Medium - CCI-001243 - V-42750 - SV-55478r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP090
Vuln IDs
  • V-42750
Rule IDs
  • SV-55478r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49022r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-7 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded\TCID-7 is 0 or the value is not there, this is not a finding.

Fix: F-48336r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions for when a security risk has been detected must be configured to Delete Risk as first action.
SI-3 - Medium - CCI-001243 - V-42751 - SV-55479r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP091
Vuln IDs
  • V-42751
Rule IDs
  • SV-55479r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49023r2_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Ensure First action is set to "Delete Risk". Criteria: If First action is not set to "Delete Risk", this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of "FirstAction" is not 3, this is a finding.

Fix: F-48337r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Set First action to "Delete Risk".

b
The Symantec Endpoint Protection client Outlook Auto-Protect actions for when a Security Risk has been detected must be configured to Quarantine Risk if first action fails.
SI-3 - Medium - CCI-001243 - V-42752 - SV-55480r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001243
Version
DTASEP092
Vuln IDs
  • V-42752
Rule IDs
  • SV-55480r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49024r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Ensure If first action fails is set to "Quarantine Risk". Criteria: If first action fails is not set to "Quarantine Risk", this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\MicrosoftExchangeClient\RealTimeScan\Expanded Criteria: If the value of "SecondAction" is not 1, this is a finding.

Fix: F-48338r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Microsoft Outlook Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Set If first action fails to "Quarantine Risk".

b
The Symantec Endpoint Protection Internet Email Auto-Protect must be enabled.
SI-3 - Medium - CCI-001668 - V-42753 - SV-55481r2_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP093
Vuln IDs
  • V-42753
Rule IDs
  • SV-55481r2_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49025r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Scan Details tab -> Ensure "Enable Internet Email Auto-Protect" is selected. Criteria: If "Enable Internet Email Auto-Protect" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan Criteria: If the value of OnOff is not 1, this is a finding.

Fix: F-48339r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Scan Details tab -> Select "Enable Internet Email Auto-Protect".

b
The Symantec Endpoint Protection Internet email Auto-Protect client must be configured to scan all file types.
SI-3 - Medium - CCI-001668 - V-42754 - SV-55482r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP094
Vuln IDs
  • V-42754
Rule IDs
  • SV-55482r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49026r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Scan Details tab -> Under Scanning, File types -> Ensure "Scan all files" is selected. Criteria: If "Scan all files" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan Criteria: If the value of FileType is not 0, this is a finding.

Fix: F-48340r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Scan Details tab -> Under Scanning, File types -> Select "Scan all files".

b
The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to scan inside zipped files.
SI-3 - Medium - CCI-001668 - V-42755 - SV-55483r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP095
Vuln IDs
  • V-42755
Rule IDs
  • SV-55483r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49027r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Scan Details tab -> Under Scanning -> Ensure "Scan files inside compressed files" is selected. Criteria: If "Scan files inside compressed files" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan Criteria: If the value of ZipFile is not 1, this is a finding.

Fix: F-48341r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Scan Details tab -> Under Scanning -> Select "Scan files inside compressed files".

b
The Symantec Endpoint Protection client Internet Email Auto-Protect for notification must be configured to insert a warning into email messages when a message part has been deleted, cleaned, or quarantined.
SI-3 - Medium - CCI-001668 - V-42756 - SV-55484r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP096
Vuln IDs
  • V-42756
Rule IDs
  • SV-55484r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49028r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Notifications tab -> Under Email Notifications -> Ensure "Insert a warning into the email message" is selected. Criteria: If "Insert a warning into the email message" is not selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan Criteria: If the value of InsertWarning is not 1, this is a finding.

Fix: F-48342r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Notifications tab -> Under Email Notifications -> Select "Insert a warning into the email message".

b
The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to not send a notification to the sender of an email in which a threat was detected.
SI-3 - Medium - CCI-001668 - V-42757 - SV-55485r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP097
Vuln IDs
  • V-42757
Rule IDs
  • SV-55485r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49029r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Notifications tab -> Under Email Notifications -> Ensure "Send email to the sender" is NOT selected. Criteria: If "Send email to the sender" is selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan Criteria: If the value of NotifySender is not 0, this is a finding.

Fix: F-48343r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Notifications tab -> Under Email Notifications -> Ensure "Send email to the sender" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect must be configured to send a notification email to the IAO, IAM, and/or ePO administrator when a threatened email message is detected.
SI-3 - Medium - CCI-001668 - V-42758 - SV-55486r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP098
Vuln IDs
  • V-42758
Rule IDs
  • SV-55486r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49030r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Notifications tab -> Under Email Notifications -> Ensure "Send email to others" is selected -> Select Others -> Ensure the IAO, IAM, and/or ePO administrator are listed. Criteria: If "Send email to others" is not selected, this is a finding. If "Send email to others" is selected and the IAO, IAM, and/ or the ePO administrator email addresses are not listed, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan Criteria: If the value of NotifySelected is not 1, this is a finding.

Fix: F-48344r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Notifications tab -> Under Email Notifications -> Select "Send email to others" -> Select Others -> Add the IAO, IAM, and/or ePO administrator email addresses.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Malware, level and not be overridden by sub-levels.
SI-3 - Medium - CCI-001668 - V-42759 - SV-55487r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP099
Vuln IDs
  • V-42759
Rule IDs
  • SV-55487r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49031r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected. Criteria: If "Override actions configured for Malware" is selected, this is a finding. On the client machine, use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\TCID-0 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Malware Criteria: If the value of FirstAction is not 5, this is a finding. If the value of FirstAction is 5, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Malware\TCID-0 is 0 or the value is not there, this is not a finding.

Fix: F-48345r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Malware -> Select Virus -> Ensure "Override actions configured for Malware" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when malware has been detected must be configured to Clean Risk as first action.
SI-3 - Medium - CCI-001668 - V-42760 - SV-55488r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP100
Vuln IDs
  • V-42760
Rule IDs
  • SV-55488r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49032r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Select Malware -> Observe the First action and the If first action fails boxes -> Ensure First action is set to "Clean Risk". Criteria: If First action is not set to "Clean Risk", this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 Bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Malware Criteria: If the value of "FirstAction" is not 5, this is a finding.

Fix: F-48346r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Select Malware -> Observe the First action and the If first action fails boxes -> Set First action to "Clean Risk".

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when malware has been detected must be configured to Delete Risk if first action fails.
SI-3 - Medium - CCI-001668 - V-42761 - SV-55489r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP101
Vuln IDs
  • V-42761
Rule IDs
  • SV-55489r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49033r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Select Malware -> Observe the First action and the If first action fails boxes -> Ensure If first action fails is set to "Delete Risk". Criteria: If first action fails is not set to "Delete Risk", this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 Bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Malware 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Malware Criteria: If the value of "SecondAction" is not 3, this is a finding.

Fix: F-48347r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Select Malware -> Observe the First action and the If first action fails boxes -> Set If first action fails to "Delete Risk".

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Adware sub-level.
SI-3 - Medium - CCI-001668 - V-42762 - SV-55490r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP102
Vuln IDs
  • V-42762
Rule IDs
  • SV-55490r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49034r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Adware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-10 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-10 is 0 or the value is not there, this is not a finding.

Fix: F-48348r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Adware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Dialer sub-level.
SI-3 - Medium - CCI-001668 - V-42763 - SV-55491r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP103
Vuln IDs
  • V-42763
Rule IDs
  • SV-55491r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49035r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Dialer -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-8 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-8 is 0 or the value is not there, this is not a finding.

Fix: F-48349r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Dialer -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Hack Tool sub-level.
SI-3 - Medium - CCI-001668 - V-42764 - SV-55492r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP104
Vuln IDs
  • V-42764
Rule IDs
  • SV-55492r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49036r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-5 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-5 is 0 or the value is not there, this is not a finding.

Fix: F-48350r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Hack Tool -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Joke Program sub-level.
SI-3 - Medium - CCI-001668 - V-42765 - SV-55493r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP105
Vuln IDs
  • V-42765
Rule IDs
  • SV-55493r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49037r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-11 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-11 is 0 or the value is not there, this is not a finding.

Fix: F-48351r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Joke Program -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Misleading Application sub-level.
SI-3 - Medium - CCI-001668 - V-42766 - SV-55494r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP106
Vuln IDs
  • V-42766
Rule IDs
  • SV-55494r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49038r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-14 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-14 is 0 or the value is not there, this is not a finding.

Fix: F-48352r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Misleading Application -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Parental Control sub-level.
SI-3 - Medium - CCI-001668 - V-42767 - SV-55495r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP107
Vuln IDs
  • V-42767
Rule IDs
  • SV-55495r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49039r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-17 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-17 is 0 or the value is not there, this is not a finding.

Fix: F-48353r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Parental Control -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Remote Access sub-level.
SI-3 - Medium - CCI-001668 - V-42768 - SV-55496r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP108
Vuln IDs
  • V-42768
Rule IDs
  • SV-55496r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49040r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan}\Expanded\TCID-9 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-9 is 0 or the value is not there, this is not a finding.

Fix: F-48354r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Remote Access -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Assessment Tool sub-level.
SI-3 - Medium - CCI-001668 - V-42769 - SV-55497r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP109
Vuln IDs
  • V-42769
Rule IDs
  • SV-55497r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49041r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Assessment Tool -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-13 is 0 or the value is not there, this is not a finding.

Fix: F-48355r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Adware -> Select Dialer -> Select Hack Tool -> Select Joke Program -> Select Misleading Application -> Select Parental Control -> Select Remote Access -> Select Security Assessment Tool -> Select Security Risks -> Select Spyware -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Security Risk sub-level.
SI-3 - Medium - CCI-001668 - V-42770 - SV-55498r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP110
Vuln IDs
  • V-42770
Rule IDs
  • SV-55498r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49042r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-4 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-4 is 0 or the value is not there, this is not a finding.

Fix: F-48356r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Security Risk -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Spyware sub-level.
SI-3 - Medium - CCI-001668 - V-42771 - SV-55499r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP111
Vuln IDs
  • V-42771
Rule IDs
  • SV-55499r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49043r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-6 is 0 or the value is not there, this is not a finding.

Fix: F-48357r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Spyware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions must be explicitly configured at the top, Security Risks, level and not be overridden by the Trackware sub-level.
SI-3 - Medium - CCI-001668 - V-42772 - SV-55500r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP112
Vuln IDs
  • V-42772
Rule IDs
  • SV-55500r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49044r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected. Criteria: If "Override actions configured for Security Risks" is selected, this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-7 is 0 or the value is not there, this is not a finding. 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of FirstAction is not 3, this is a finding. If the value of FirstAction is 3, then check A. A must be compliant for the check to be not a finding. A - If the value of OverrideDefaultActions within HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded\TCID-7 is 0 or the value is not there, this is not a finding.

Fix: F-48358r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Under Security Risks -> Select Trackware -> Ensure "Override actions configured for Security Risks" is NOT selected.

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when a security risk has been detected must be configured to Delete Risk as first action.
SI-3 - Medium - CCI-001668 - V-42773 - SV-55501r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP113
Vuln IDs
  • V-42773
Rule IDs
  • SV-55501r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49045r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Ensure First action is set to "Delete Risk". Criteria: If First action is not set to "Delete Risk", this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of "FirstAction" is not 3, this is a finding.

Fix: F-48359r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Set First action to "Delete Risk".

b
The Symantec Endpoint Protection client Internet Email Auto-Protect actions for when a security risk has been detected must be configured to Quarantine risk if first action fails.
SI-3 - Medium - CCI-001668 - V-42774 - SV-55502r1_rule
RMF Control
SI-3
Severity
M
CCI
CCI-001668
Version
DTASEP114
Vuln IDs
  • V-42774
Rule IDs
  • SV-55502r1_rule
Email has become one of the most frequently used methods of spreading malware, through embedded HTML code and attachments. User awareness and training, warning users to not open suspicious emails or email attachments and to not click hyperlinks, etc. from unknown or known senders, will not fully protect from email-borne malware. Mass mailing worms are similar to email-borne viruses but are self-contained rather than being designed to infect an existing file. Protecting from email-borne viruses and mass mailing worms by scanning email upon delivery mitigates the risk of infection via email.
Checks: C-49046r1_chk

Server check: From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Ensure If first action fails is set to "Quarantine Risk". Criteria: If first action fails is not set to "Quarantine Risk", this is a finding. On the client machine use the Windows Registry Editor to navigate to the following key: 32 bit: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded 64 bit: HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\InternetMail\RealTimeScan\Expanded Criteria: If the value of "SecondAction" is not 1, this is a finding.

Fix: F-48360r1_fix

From the Symantec Endpoint Protection Management Server, Symantec Endpoint Protection Management Console: Select Policies -> Double-click the applied policy -> Under Windows Settings, Email Scans -> Select Internet Email Auto-Protect -> Select the Actions tab -> Under Actions -> Select Security Risks -> Observe the First action and the If first action fails boxes -> Set If first action fails to "Quarantine Risk".