
The McAfee MOVE AV [Multi-Platform] Client General policy must be configured to enable the quarantine.


Overview

Finding ID: V-42951
Version: AV-MOVE-CLT-017
Rule ID: SV-55680r1_rule
IA Controls:
Severity: Medium
Description
Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. Accordingly, antivirus software should be configured to attempt to disinfect infected files and to either quarantine or delete files that cannot be disinfected. By enabling the quarantine, organizations will have the ability to submit copies of unknown malware to their security software vendors for analysis and will be able to conduct internal forensic evaluation.
STIG: McAfee MOVE 2.6/3.6.1 Multi-Platform Client STIG
Date: 2016-04-05

Details

Check Text ( C-49137r1_chk )
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on the MOVE AV [Multi-Platform] Client policy to open the properties.

Under the Quarantine tab, locate the "Quarantine Configuration:" label. Ensure the "Enabled" check box is selected.

If the "Enabled" check box is not selected, this is a finding.

On the local client, open a cmd window running as administrator.
Navigate to the path to which the McAfee MOVE AV Client has been installed (default is C:\Program Files\McAfee\MOVE AV Client on 32-bit systems or C:\Program Files (x86)\McAfee\MOVE AV Client on 64-bit systems).

Execute the following command:
mvadm config show

If "QuarantineEnabled" does not have a value of 1, this is a finding.
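The following is an added example, not part of the STIG or any McAfee tooling, that automates the local half of this check: it parses the output of `mvadm config show` and evaluates the QuarantineEnabled rule, treating a missing key as a finding because the check cannot then confirm the quarantine. The output format of `mvadm config show` is not given on this page, so the parser assumes one `Key = Value` (or `Key: Value`) setting per line, and the sample output below is constructed.

```python
"""Evaluate STIG V-42951 (AV-MOVE-CLT-017) against `mvadm config show` output."""
import re
import subprocess
from typing import Dict, Optional

# Constructed sample output. The real format of `mvadm config show` is not
# documented on the page; one "Key = Value" setting per line is an assumption.
SAMPLE_COMPLIANT = """\
ScanOnRead = 1
QuarantineEnabled = 1
QuarantinePath = C:\\Quarantine
"""
SAMPLE_FINDING = """\
ScanOnRead = 1
QuarantineEnabled = 0
"""


def parse_mvadm_config(text: str) -> Dict[str, str]:
    """Parse key/value lines into a dict. Accepts '=' or ':' as the separator,
    ignores blank or unparseable lines, and lower-cases keys so the lookup is
    case-insensitive (an assumption about how the tool prints its keys)."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.]+)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def evaluate_quarantine(settings: Dict[str, str]) -> str:
    """Return 'NotAFinding' only when QuarantineEnabled is exactly 1.
    Any other value, or a missing key, is reported as 'Open' (a finding)."""
    return "NotAFinding" if settings.get("quarantineenabled") == "1" else "Open"


def check_live(mvadm_dir: str = r"C:\Program Files (x86)\McAfee\MOVE AV Client") -> Optional[str]:
    """Run the real command from the install directory (the page's 64-bit default)
    in an elevated session. Returns None when mvadm cannot be executed."""
    try:
        out = subprocess.run(["mvadm", "config", "show"], cwd=mvadm_dir,
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return evaluate_quarantine(parse_mvadm_config(out))


if __name__ == "__main__":
    for label, sample in (("compliant", SAMPLE_COMPLIANT), ("finding", SAMPLE_FINDING)):
        print(f"{label}: V-42951 -> {evaluate_quarantine(parse_mvadm_config(sample))}")
```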
Fix Text (F-48530r1_fix)
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed. Select Actions, select Agent, and select Modify Policies on a Single System.

From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on the MOVE AV [Multi-Platform] Client policy to open the properties.

Under the Quarantine tab, locate the "Quarantine Configuration:" label. Select the "Enabled" check box.

Click Save.