Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-42955 | AV-MOVE-CLT-021 | SV-55684r1_rule | Medium |
Description |
---|
Malware incident containment has two major components: stopping the spread of malware and preventing further damage to hosts. Disinfecting a file is generally preferable to quarantining it because the malware is removed and the original file restored; however, many infected files cannot be disinfected. The primary goal of eradication is to remove malware from infected hosts. |
STIG | Date |
---|---|
McAfee MOVE 2.6/3.6.1 Multi-Platform Client STIG | 2016-04-05 |
Check Text ( C-49141r1_chk ) |
---|
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed Select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on the MOVE AV [Multi-Platform] Client policy to open the properties. Under the Actions tab, locate the "When a threat is found:" label. Ensure the "If the first action fails, then perform this action" drop-down box is configured to "Deny access to files." If the "When a threat is found: If the first action fails, then perform this action" setting is not configured to "Deny access to files", this is a finding. On the local client, access a cmd window, running as administrator. Navigate to the path to which the McAfee AV Client has been installed (default is C:\Program Files\McAfee\MOVE AV Client on 32-bit systems or C:\Program Files(x86)\McAfee\MOVE AV Client on 64-bit systems). Execute the following command: mvadm config show If the "ThreatAction2" does not have a value of 1, this is a finding. |
Fix Text (F-48534r1_fix) |
---|
From the ePO server console System Tree, select the Systems tab, find and click on the asset to which the McAfee MOVE AV Client has been deployed Select Actions, select Agent, and select Modify Policies on a Single System. From the product drop-down list, select MOVE AV [Multi-Platform] Client. Click on the MOVE AV [Multi-Platform] Client policy to open the properties. Under the Actions tab, locate the "When a threat is found:" label. Click on the drop-down box for "If the first action fails, then perform this action" and select "Deny access to files." Click Save. |