
The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to expire cached scan results after a time period of no more than 24 hours.


Overview

Finding ID: V-42943
Version: AV-MOVE-CLT-008
Rule ID: SV-55672r2_rule
IA Controls: (none listed)
Severity: Medium
Description
Antivirus software should be installed as soon after OS installation as possible and then updated with the latest signatures and antivirus software patches (to eliminate any known vulnerabilities in the antivirus software itself). The antivirus software should then perform a complete scan of the host to identify any potential infections. To support the security of the host, the antivirus software should be configured and maintained properly so it continues to be effective at detecting and stopping malware. Antivirus software is most effective when its signatures are fully up-to-date. Accordingly, antivirus software should be kept current with the latest signature and software updates to improve malware detection.

The scan cache retains files previously scanned and determined to be clean. Since a cached scan result is not invalidated when a new antivirus signature (DAT) is received, and a cached file will only be re-scanned after the cached result expires, caching files past a 24-hour period allows newly discovered malware to go undetected in those cached files. Cached files should expire after no more than 24 hours in order to be scanned with new antivirus signatures every day.

STIG: McAfee MOVE 2.6/3.6.1 Multi-Platform Client STIG
Date: 2016-04-05

Details

Check Text (C-49129r1_chk)
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on the MOVE AV [Multi-Platform] Client policy to open the properties.

Under the General tab, locate the "Cache Expiration Time:" label. Ensure the "Cached scan results expire after being cached for (hours):" box is configured with a value of 24 or less.

If the "Cached scan results expire after being cached for (hours):" setting is not configured with a value of 24 or less, this is a finding.

On the local client, access a cmd window, running as administrator.
Navigate to the path to which the McAfee AV Client has been installed (default is C:\Program Files\McAfee\MOVE AV Client on 32-bit systems or C:\Program Files (x86)\McAfee\MOVE AV Client on 64-bit systems).

Execute the following command:
mvadm config show

If the "CacheExpiration" setting is not set to a value of 24 or less, this is a finding.
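
The local-client check above can be scripted. The following PowerShell function is an added example, not part of the STIG or of McAfee's tooling: it evaluates the lines printed by mvadm config show against the 24-hour limit. The function name, the status labels and the "Name = Value" / "Name: Value" output layout are assumptions, since this page does not show what the command prints.

```powershell
# Added example. ASSUMPTION: `mvadm config show` prints one setting per line as
# "Name = Value" or "Name: Value"; adjust $pattern if the real output differs.
function Test-MoveCacheExpiration {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$ConfigLines,
        [int]$MaxHours = 24
    )
    $pattern = '^\s*CacheExpiration\s*[:=]\s*(\S+)\s*$'
    # Collect every value given for CacheExpiration (normally exactly one).
    $values = @(foreach ($line in $ConfigLines) {
        $m = [regex]::Match($line, $pattern, 'IgnoreCase')
        if ($m.Success) { $m.Groups[1].Value }
    })

    $hours = 0
    if ($values.Count -eq 0) {
        $status = 'Finding'; $reason = 'CacheExpiration not present in output'
    } elseif ($values.Count -gt 1) {
        $status = 'Review'; $reason = "CacheExpiration appears $($values.Count) times"
    } elseif (-not [int]::TryParse($values[0], [ref]$hours)) {
        $status = 'Finding'; $reason = "Value '$($values[0])' is not a whole number"
    } elseif ($hours -gt $MaxHours) {
        $status = 'Finding'; $reason = "$hours h exceeds the $MaxHours h limit"
    } elseif ($hours -lt 1) {
        # The check text says only "24 or less"; what 0 or a negative number means
        # to the product is not stated there, so surface it instead of passing it.
        $status = 'Review'; $reason = "Value $hours needs manual interpretation"
    } else {
        $status = 'NotAFinding'; $reason = "$hours h is within the $MaxHours h limit"
    }
    [pscustomobject]@{ Status = $status; Value = ($values -join ','); Reason = $reason }
}

# Constructed sample output (not captured from a real client).
$compliant    = @('ExampleSetting = 1', 'CacheExpiration = 24')
$nonCompliant = @('ExampleSetting = 1', 'CacheExpiration = 48')
$missing      = @('ExampleSetting = 1')

Test-MoveCacheExpiration -ConfigLines $compliant
Test-MoveCacheExpiration -ConfigLines $nonCompliant
Test-MoveCacheExpiration -ConfigLines $missing

# On a client, from the MOVE AV Client install directory:
#   Test-MoveCacheExpiration -ConfigLines (.\mvadm config show)
```
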
Fix Text (F-48522r1_fix)
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on the MOVE AV [Multi-Platform] Client policy to open the properties.

Under the General tab, locate the "Cache Expiration Time:" label. In the "Cached scan results expire after being cached for (hours):" box, enter a value of 24 or less.

Click Save.