The McAfee Application Control Options Reputation setting must be configured to use the McAfee Global Threat Intelligence (McAfee GTI) option.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-213330	MCAC-TE-000104	SV-213330r506897_rule		Medium

Description
If a Threat Intelligence Exchange (TIE) server is being used in the organization, reputation for files and certificates is fetched from the TIE server. The reputation values control execution at endpoints and are displayed on the Application Control pages on the McAfee ePO console. If the GTI is being used, reputation for files and certificates is fetched from the McAfee GTI. For both methods, the administrator can review the reputation values and make informed decisions for inventory items in the enterprise.

Description

If a Threat Intelligence Exchange (TIE) server is being used in the organization, reputation for files and certificates is fetched from the TIE server. The reputation values control execution at endpoints and are displayed on the Application Control pages on the McAfee ePO console. If the GTI is being used, reputation for files and certificates is fetched from the McAfee GTI. For both methods, the administrator can review the reputation values and make informed decisions for inventory items in the enterprise.

STIG	Date
McAfee Application Control 8.x Security Technical Implementation Guide	2020-10-02

Details

Check Text ( C-14558r505025_chk )
NOTE: This requirement is Not Applicable on a classified SIPRNet or otherwise closed network. This requirement is only applicable to Windows platforms. For MAC and Linux platforms, this is Not Applicable. From the ePO server console System Tree, select the "Systems" tab. Select "This Group and All Subgroups". Select the asset(s) that need the organization-specific policy. Select "Actions". Select "Agent". Select "Modify Policies on a Single System". From the product pull-down list, select Solidcore 8.x: Application Control. From the "Policy" column, select the policy associated with the Category "Application Control Options (Windows)" that is specific for the asset being reviewed. Select the "Reputation" tab. Verify the "Use McAfee Global Threat Intelligence (McAfee GTI)" option is selected. Note: The "McAfee GTI" option must be selected, as a failover, even if an internal McAfee TIE server is configured. If the "McAfee GTI" option is not selected, this is a finding.

Check Text ( C-14558r505025_chk )

NOTE: This requirement is Not Applicable on a classified SIPRNet or otherwise closed network.

This requirement is only applicable to Windows platforms. For MAC and Linux platforms, this is Not Applicable.

From the ePO server console System Tree, select the "Systems" tab.

Select "This Group and All Subgroups".
Select the asset(s) that need the organization-specific policy.
Select "Actions".
Select "Agent".
Select "Modify Policies on a Single System".

From the product pull-down list, select Solidcore 8.x: Application Control.

From the "Policy" column, select the policy associated with the Category "Application Control Options (Windows)" that is specific for the asset being reviewed.

Select the "Reputation" tab.

Verify the "Use McAfee Global Threat Intelligence (McAfee GTI)" option is selected.

Note: The "McAfee GTI" option must be selected, as a failover, even if an internal McAfee TIE server is configured.

If the "McAfee GTI" option is not selected, this is a finding.

Fix Text (F-14556r505026_fix)
From the ePO server console System Tree, select the "Systems" tab. Select "This Group and All Subgroups". Select the asset. Select "Actions". Select "Agent". Select "Modify Policies on a Single System". From the product pull-down list, select Solidcore 8.x: Application Control. From the "Policy" column, select the policy associated with the Category "Application Control Options (Windows)" that is specific for the asset being reviewed. Select the "Reputation" tab. Place a check in the "Use McAfee Global Threat Intelligence (McAfee GTI)" option. Click "Save".

Fix Text (F-14556r505026_fix)

From the ePO server console System Tree, select the "Systems" tab.

Select "This Group and All Subgroups".
Select the asset.
Select "Actions".
Select "Agent".
Select "Modify Policies on a Single System".

From the product pull-down list, select Solidcore 8.x: Application Control.

From the "Policy" column, select the policy associated with the Category "Application Control Options (Windows)" that is specific for the asset being reviewed.

Select the "Reputation" tab.

Place a check in the "Use McAfee Global Threat Intelligence (McAfee GTI)" option.

Click "Save".