Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-42935 | AV-MOVE-CLT-002 | SV-55664r1_rule | Medium |
Description |
---|
Organizations should use centrally managed antivirus software that is controlled and monitored regularly by antivirus administrators, who are also typically responsible for acquiring, testing, approving, and delivering antivirus signature and software updates throughout the organization. Users should not be able to disable or delete antivirus software from their hosts, nor should they be able to alter critical settings. Antivirus administrators should perform continuous monitoring to confirm that hosts are using current antivirus software and that the software is configured properly. Implementing all of these recommendations should strongly support an organization in having a strong and consistent antivirus deployment across the organization. |
STIG | Date |
---|---|
McAfee MOVE 2.6/3.6.1 Multi-Platform Client STIG | 2016-04-05 |
Check Text ( C-49123r1_chk ) |
---|
On the system being reviewed, first confirm the system has a McAfee Agent deployed and running: Click Start, and type services.msc in the "Search programs and files" search bar. Press Review the services running on the system. Ensure the McAfee Framework Service is listed as a service and has a status of Started. If the system does not have the McAfee Agent deployed to it, this is a finding. If the McAfee Agent is running on the system, next confirm the system has the McAfee MOVE AV Client deployed and is being managed by the ePO server: Access a cmd window, running as administrator. Navigate to the directory to which the McAfee Agent is installed (default is C:\Program Files (x86)\McAfee\Common Framework). Open the McAfee Agent status monitor by executing the following command: cmdagent /s In the McAfee Agent Monitor, click the "Check New Policies" button. In the McAfee Agent Monitor, review the Agent Subsystem status lines and ensure there is a status for "Agent started performing ASCI", followed by a sequence of status lines showing the "Agent is sending PROPS VERSION package to ePO server" and "Agent communication session closed". These status lines will confirm the system is making a successful connection to the ePO server. Click the "Enforce Policies" button. In the McAfee Agent Monitor, review the Management status lines and ensure one shows a status of "Enforcing Policies for MOVEVOFF2600". This status line will confirm the system is enforcing policies for the McAfee MOVE AV Client. If McAfee Agent Status Monitor shows successful Agent Subsystem status lines of "Agent started performing ASCI", followed by a sequence of status lines showing the "Agent is sending PROPS VERSION package to ePO server" and "Agent communication session closed" and a Management status line of "Enforcing Policies for MOVEVOFF2600", this is not a finding. If either the system does not show "Agent started performing ASCI", followed by a sequence of status lines showing the "Agent is sending PROPS VERSION package to ePO server" and "Agent communication session closed", or does not show a Management status line of "Enforcing Policies for MOVEVOFF2600", this is a finding. |
Fix Text (F-48516r5_fix) |
---|
Access the ePO server. From the System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV [Multi-Platform] Client needs to be deployed to open its properties. If the asset is not in the ePO server system tree, configure a task to deploy the McAfee Agent to asset to which the McAfee MOVE AV Client will be deployed. Once the system is communicating with the ePO server and is in the ePO server system tree, find and click the asset to which the McAfee MOVE AV Client will be deployed to open its properties. Click on Actions, Agent, Modify Tasks on a Single System. Click on the "New Task" button. Name the new task "Deploy McAfee MOVE AV Client". For the "Type:", select "Product Deployment" from the drop-down list and click Next. For the "Products and components:", select "MOVE AV [Multi-Platform] Client" and ensure the "Action:" is "Install" and click Next. For the "Schedule status:", select "Enabled". Configure the schedule variable in accordance with local Change Control policy and click Next. On "Summary" TAB, click "Save", then "Close". Back at the "System Details" screen, click on the "Wake Up Agents" button. In the "Wake Up McAfee Agent" screen, for the "Force policy update:" settings, place a check in the "Force complete policy and task update" check box. Click on OK. |